PassportRequireADMapping Metabase Property

By default, IIS 6.0 with .NET Passport authentication enabled tries to map the .NET Passport user to an account in Active Directory. This default behavior can create performance overhead for sites that do not accept .NET Passport Active Directory mapping. The mapping behavior can be controlled by the PassportRequireADMapping flag. The flag values are:

PassportRequireADMapping set to 0: IIS does not attempt Active Directory mapping. The request is handled as Anonymous User.

PassportRequireADMapping set to 1 (default setting): In this situation, the worker process must have TCB privileges (meaning, the worker process acts as part of the operating system). IIS then attempts to map to an Active Directory account (called LsaLogonUser). If this attempt fails, the request is handled as Anonymous User.

PassportRequireADMapping set to 2: IIS enforces a mapping from the .NET Passport account to an Active Directory account before returning the requested Web page. If the mapping fails, IIS returns a 401 error.